GDPR and Cookie Consent: What Businesses Need to Know
The European Union’s General Data Protection Regulation (GDPR) took effect on 25 May 2018 and reaches businesses around the world: any website that serves people in the EU must explain what personal data it collects and how that data is used. While GDPR gives no guidance on website cookies specifically, its rules on consent apply to cookies that collect personal data.
In this post, we’ll look at cookie consent and GDPR and what businesses can do to make sure they’re compliant.
What are website cookies?
A website cookie is a small piece of data that a website sends to a user’s browser; the browser stores it and sends it back, unaltered, with later requests to that site. Cookies may be essential to a website’s functionality. For example, a website that requires a login stores a session identifier in a cookie so that it can recognize the user as they move from page to page, without asking them to log in again on every page.
Cookies may also collect information for marketing purposes, such as products a user views or the types of websites a user visits. Websites must include language that explains how they use cookies and for what purpose.
Cookies are generally classified by:
Duration
Session cookies are set without an expiration and are discarded when the user closes the browser (or the session otherwise ends). Persistent cookies carry an expiration (an Expires or Max-Age attribute) and remain on the user’s device until that date passes or the user deletes them.
Provenance
This distinguishes first-party cookies, set by the site the user is visiting, from third-party cookies, set by another domain whose content (ads, analytics scripts, embedded widgets) the page loads.
Purpose
- Strictly necessary cookies: These are typically first-party session cookies that are essential for a service the user has requested, such as keeping them logged in or remembering a shopping cart. Consent is not required for these, but the website must still tell visitors that the cookies are in use and explain their function.
- Preference cookies: These store user settings such as language, region, or a “remember me” choice (the login credentials themselves should never be stored in a cookie).
- Statistics cookies: These cookies collect information about how users interact with a website, then aggregate the data to offer a view of website performance, such as the most popular pages.
- Marketing cookies: These are persistent (and usually third-party) cookies that track users' online behavior for the purpose of delivering targeted ads. These cookies may share information with other entities.
Cookie policy vs. privacy policy
GDPR does not require websites to have a separate cookie policy, but the privacy policy must explain how the site collects and uses data. Websites should also let users accept or reject all cookies, or adjust their cookie preferences by category. One study found that 40% of internet users accept cookies on a website without reading how the cookies will be used.
GDPR vs. ePD
As we mentioned earlier, GDPR doesn’t include a section on cookies. In fact, if you search the text of GDPR, you’ll find that “cookie” is mentioned only once, in the recitals (Recital 30, which lists cookie identifiers among online identifiers). An earlier instrument, the ePrivacy Directive (ePD, Directive 2002/58/EC, as amended in 2009), does require businesses to obtain consent before storing or reading cookies on a user’s device, which is why ePD came to be known as “The Cookie Law.”
GDPR language covers how data is collected and used, and affords consumers certain rights to protect their privacy. That’s why it’s applicable to cookie policies.
GDPR and cookie consent
GDPR’s language has the following implications for cookie consent:
- Cookie consent should be affirmative: Users must take a clear action (usually clicking a button) to accept cookies; scrolling, continued browsing, or a pre-ticked box does not count as consent.
- Cookie consent should be freely given: Users should have a real choice about whether to allow cookies. An “Accept all” button alone is insufficient; rejecting must be offered and must be as easy as accepting.
- Cookie consent should be informed: For a user to make an informed decision about consent, a website must clearly explain its use of cookies and the information they collect, as well as the purposes for collecting that information.
- Cookie consent should be accessible: The controls for accepting or rejecting cookies must work for all users: operable by keyboard alone as well as by mouse, and labelled so that screen readers announce them correctly.
- Cookie consent should be recorded: Websites should keep a record of each consent decision, including when and how the user gave it, which categories they allowed, and the wording of the cookie policy at the time (a policy version or a copy of the text).
- Cookie consent should be changeable: Users who previously consented can withdraw that consent at any time, and withdrawing must be as easy as giving it (GDPR Article 7(3)); cookies already set under the withdrawn consent should be removed.
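The following is an added example, not code from the original post or from Acquia, showing how the six points above translate into a small consent record and a gate in front of every cookie write. The category names, the shape of the record, the policy strings and the in-memory cookie jar that stands in for document.cookie are all assumptions made for this illustration so that it runs outside a browser.

```javascript
// Added example (not code from the original post or from Acquia): a minimal consent
// record that implements the six consent points. Everything here is illustrative:
// the category names, the record shape, and the MemoryCookieJar stand-in for
// document.cookie are assumptions so that the code runs outside a browser.

// Categories that need consent; "necessary" is handled separately and never gated.
const CONSENT_CATEGORIES = ['preferences', 'statistics', 'marketing'];

// Constructed policy text; in practice this is the banner/policy wording shown to the user.
const POLICY_V1 = 'Cookie policy v1: we use preference, statistics and marketing cookies.';
const POLICY_V2 = 'Cookie policy v2: we added a new advertising partner.';

class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, category) { this.cookies.set(name, { value, category }); }
  // Withdrawal must actually remove the cookies, not just stop setting new ones.
  deleteCategory(category) {
    for (const [name, c] of this.cookies) if (c.category === category) this.cookies.delete(name);
  }
  names() { return [...this.cookies.keys()].sort(); }
}

class ConsentManager {
  // `clock` is injectable so the demo and its test are deterministic.
  constructor(jar, policyText, clock = () => new Date()) {
    this.jar = jar;
    this.policyText = policyText;
    this.clock = clock;
    this.record = null;
  }

  // Affirmative and freely given: only a category the user explicitly switched on is
  // granted; anything missing from `choices` is treated as rejected (no pre-ticked boxes).
  decide(choices, method) {
    const granted = CONSENT_CATEGORIES.filter((cat) => choices[cat] === true);
    this.record = {
      decidedAt: this.clock().toISOString(),
      method,                       // e.g. 'banner-accept-all', 'banner-reject-all', 'settings-dialog'
      granted,
      policyText: this.policyText,  // recorded: the wording the user actually saw
    };
    // Changeable: withdrawing a category removes the cookies already set under it.
    for (const cat of CONSENT_CATEGORIES) {
      if (!granted.includes(cat)) this.jar.deleteCategory(cat);
    }
    return this.record;
  }

  withdrawAll() { return this.decide({}, 'withdraw-all'); }

  // Gate every cookie write: strictly necessary cookies are always allowed; any other
  // category needs a current grant made against the policy wording now in force.
  setCookie(name, value, category) {
    if (category === 'necessary') {
      this.jar.set(name, value, category);
      return true;
    }
    if (!this.record || !this.record.granted.includes(category)) return false;
    // Informed: consent given under older wording does not carry over to a changed policy.
    if (this.record.policyText !== this.policyText) return false;
    this.jar.set(name, value, category);
    return true;
  }

  // Called when the policy text changes: the old record stays for audit, a fresh decision is required.
  updatePolicy(newText) { this.policyText = newText; }
}

// Walk through the lifecycle with a fixed clock so the results are reproducible.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, POLICY_V1, () => new Date('2024-05-01T10:00:00Z'));
  const steps = {};
  steps.necessaryBefore = cm.setCookie('sessionid', 'abc123', 'necessary');  // true, no consent needed
  steps.statsBefore = cm.setCookie('_ga', 'GA1.2.1', 'statistics');         // false, nothing granted yet
  cm.decide({ statistics: true }, 'settings-dialog');
  steps.statsAfter = cm.setCookie('_ga', 'GA1.2.1', 'statistics');          // true
  steps.marketingAfter = cm.setCookie('_fbp', 'fb.1', 'marketing');         // false, never granted
  steps.afterDecide = jar.names();                                           // ['_ga', 'sessionid']
  cm.updatePolicy(POLICY_V2);
  steps.statsAfterPolicyChange = cm.setCookie('_gid', 'GA1.2.2', 'statistics'); // false, re-consent required
  cm.withdrawAll();
  steps.afterWithdraw = jar.names();                                         // ['sessionid']
  steps.record = cm.record;
  return steps;
}
```

The point of the gate is that the consent decision, not the script that wants to set a cookie, is what decides whether a non-essential cookie is written; in a real site the jar methods would wrap document.cookie (or server-side Set-Cookie), and the record would be persisted server-side with the user’s pseudonymous identifier so it can be produced on request.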
Best practices for cookie management
In December 2020, the French data protection authority (CNIL) fined Google €100 million (about $118.82 million at the time) for placing advertising cookies on users’ devices without their consent. The fine was issued under the French law implementing the ePrivacy Directive’s cookie rule rather than under GDPR itself, but it remains one of the largest cookie-related penalties to date and a sign that enforcement is ramping up.
To avoid potential fines, businesses can implement the following best practices:
- Look into which cookies are on your site: Many businesses have no inventory of the third-party cookies they allowed onto their website in the past. Use a scanner that loads each page, records every cookie set by response headers or by script, and classifies each one by provenance and duration; solutions that specialize in website compliance offer this.
- Explain what cookies are: To be compliant with data privacy laws, websites must use language that helps users understand what they’re agreeing to when they accept cookies. To that end, it’s important to explain what cookies are and how they work.
- Offer a thorough explanation of how you use cookies: A good cookie policy offers users some introductory text, with a link that leads to an expanded explanation. While users might not read that explanation, providing it is a good way to shield yourself from complaints and fines.
- Allow users to change their cookie preferences: Show users what types of cookies your site uses and allow them to change their cookie permissions for non-essential cookies.
- Review the accessibility of your cookie notification: A popup or GDPR cookie banner that introduces your privacy/cookie policy must work with assistive technology such as screen readers and must be fully operable by keyboard.
- Review your cookie policy annually: Because data privacy regulations are always evolving, it’s good practice to review your cookie policy at least once per year.
- Consult an expert: Trying to determine which regulations apply to your site, which cookies are on your site, and whether your site is compliant can be time-consuming and stressful. Consult an expert who can evaluate your site and make recommendations that ensure compliance.
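The following is an added example, not code from the original post or from Acquia, covering two passages at once: the duration and provenance classification described under “Cookies are generally classified by”, and the “Look into which cookies are on your site” step above, whose scanner needs exactly that classification. It takes Set-Cookie headers captured while loading a page and sorts each cookie into session/persistent and first-party/third-party. The response hosts and header values are constructed for this example, and the two-label site check in siteOf() is a deliberate simplification (a real scanner uses the Public Suffix List).

```javascript
// Added example (not code from the original post or from Acquia): the classification
// step of a cookie inventory, applied to Set-Cookie headers captured from a page load.
// The response hosts and header values below are constructed; the two-label site check
// in siteOf() is a deliberate simplification (real scanners use the Public Suffix List).

// Parse one Set-Cookie header value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';');
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of attrParts) {
    const [key, ...rest] = part.trim().split('=');
    if (!key) continue;
    // Flag attributes (Secure, HttpOnly) become true; valued ones keep their string.
    cookie.attrs[key.toLowerCase()] = rest.length ? rest.join('=').trim() : true;
  }
  return cookie;
}

// Reduce a host to its site ("registrable domain") by keeping the last two labels.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Classify one cookie by the duration and provenance criteria from the post.
function classify(header, responseHost, pageHost) {
  const c = parseSetCookie(header);
  const maxAge = c.attrs['max-age'];
  let duration;
  if (maxAge !== undefined && Number(maxAge) <= 0) duration = 'deletion';   // Max-Age=0 removes a cookie
  else if (maxAge !== undefined || c.attrs.expires !== undefined) duration = 'persistent';
  else duration = 'session';                                                 // no expiry: dies with the browser session
  // Provenance: the Domain attribute, if present, decides which site the cookie belongs to.
  const scopeHost = typeof c.attrs.domain === 'string' ? c.attrs.domain : responseHost;
  const provenance = siteOf(scopeHost) === siteOf(pageHost) ? 'first-party' : 'third-party';
  return {
    name: c.name,
    duration,
    provenance,
    setBy: responseHost,
    // Heuristic only: a first-party session cookie may be strictly necessary; anything
    // else is not exempt by its mechanics alone. Purpose still has to be reviewed by a person.
    reviewForConsent: !(provenance === 'first-party' && duration === 'session'),
  };
}

// Build the inventory for a page from the responses observed while loading it.
function inventory(responses, pageHost) {
  const out = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) out.push(classify(header, host, pageHost));
  }
  return out;
}

// Constructed sample: what a scanner might capture while loading https://www.example.com/.
const SAMPLE_RESPONSES = [
  { host: 'www.example.com', setCookie: [
    'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
    'lang=en; Max-Age=31536000; Path=/; Domain=.example.com; SameSite=Lax',
  ] },
  { host: 'ads.tracker.example.net', setCookie: [
    'uid=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure; SameSite=None',
  ] },
  { host: 'www.example.com', setCookie: ['old_pref=; Max-Age=0; Path=/'] },
];

function sampleInventory() { return inventory(SAMPLE_RESPONSES, 'www.example.com'); }
```

Run against the sample, the inventory lists sessionid as a first-party session cookie (the only one not flagged for consent review), lang as first-party persistent, uid as third-party persistent, and old_pref as a deletion; the flag is a starting point for the human review of purpose, not a compliance verdict.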
FAQs
What is a GDPR-compliant cookie policy?
A compliant GDPR cookie consent policy covers all the key points: transparent language about the presence, purpose, and use of cookies; a clear menu of options; and accessible methods for consenting to or rejecting cookies.
Do all cookies require consent in the EU?
Any cookie that is not strictly necessary to provide a service the user has requested requires consent in the EU, whether it is first-party or third-party. The consent requirement itself comes from the ePrivacy Directive; GDPR sets the standard that the consent has to meet.
Is GDPR cookie consent applicable to U.S. websites?
GDPR applies to any website that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the site is hosted or the business is based, so it does apply to U.S. websites.
Acquia Optimize's Consent Manager
Acquia Optimize helps companies maintain compliance with data privacy regulations. Acquia Optimize Consent Manager quickly evaluates site compliance with cookie consent requirements and provides recommendations for improvement.
Our team has years of experience analyzing websites and providing guidance on how to improve the user experience. Whether you’re looking to fine-tune your cookie policy or ensure every page on your site is accessible for users with disabilities, we can help.